[unisog] Pen testers after my own heart...
numatrix at ufl.edu
Mon Jun 12 19:18:27 GMT 2006
Gary Flynn wrote:
> Here is an article about a similar test using CDs instead
> of USB keys:
> And another article covering the issue in more detail:
That second article is wrong. It claims that:
"But there is another important threat that portable storage poses to
today's information systems. Plug an iPod or USB stick into a PC running
Windows and the device can literally take over the machine and search
for confidential documents, copy them back to the iPod or USB's internal
storage, and hide them as "deleted" files."
That is just plain incorrect. From:
Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk
drives. If you need to make a USB storage device perform Autorun, the
device must not be marked as a removable media device and the device
must contain an Autorun.inf file and a startup application.
The removable media device setting is a flag contained within the SCSI
Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1
(indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero
indicates that the device is not a removable media device. A RMB of one
indicates that the device is a removable media device. Drivers obtain
this information by using the StorageDeviceProperty request.
iPods and nearly all USB sticks are classified as removable media,
and thus you cannot enable autorun without some other program already
running on the PC (heck, that's why iPods require ipodagent.exe
running on the host PC to detect the iPod insertion).
Jordan Wiens, CISSP
UF Security Engineer
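The post's argument rests on one byte of the SCSI INQUIRY response: bit 7 of byte 1, the Removable Media Bit (RMB). The following is an added Python example, not code from the original message or from the unisog list, that decodes the fixed 36-byte header of a standard INQUIRY response (peripheral device type in byte 0, RMB in byte 1, vendor/product/revision strings in bytes 8-35) and applies the rule quoted above: Autorun is considered only for CD-ROM drives and fixed (RMB clear) disk drives. The function names (`parse_inquiry`, `autorun_applies`, `build_inquiry`) and the sample devices are constructed for illustration; the layout follows the SCSI standard INQUIRY data format.

```python
"""Decode SCSI INQUIRY data and check the Removable Media Bit (RMB).

Added example: parses the fixed part of a standard INQUIRY response and
applies the Autorun rule quoted in the post (CD-ROM or fixed disk only).
All device samples below are constructed, not captured from real hardware.
"""

from dataclasses import dataclass

# Peripheral device type codes carried in the low 5 bits of byte 0.
PERIPHERAL_DEVICE_TYPES = {
    0x00: "direct-access block device (disk)",
    0x05: "CD/DVD device",
    0x1F: "unknown or no device type",
}


@dataclass
class InquiryInfo:
    peripheral_type: int
    removable: bool        # value of the RMB (byte 1, bit 7)
    vendor: str
    product: str
    revision: str


def parse_inquiry(data: bytes) -> InquiryInfo:
    """Decode the 36-byte fixed header of standard INQUIRY data."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    peripheral_type = data[0] & 0x1F
    removable = bool(data[1] & 0x80)          # bit 7 of byte 1 is the RMB
    vendor = data[8:16].decode("ascii", errors="replace").strip()
    product = data[16:32].decode("ascii", errors="replace").strip()
    revision = data[32:36].decode("ascii", errors="replace").strip()
    return InquiryInfo(peripheral_type, removable, vendor, product, revision)


def autorun_applies(info: InquiryInfo) -> bool:
    """Apply the rule from the quoted Q&A: Autorun is restricted to CD-ROM
    drives and fixed disk drives. A direct-access device with the RMB set
    (nearly every USB stick or iPod) is therefore not eligible."""
    if info.peripheral_type == 0x05:          # CD/DVD class device
        return True
    return info.peripheral_type == 0x00 and not info.removable


def build_inquiry(peripheral_type: int, removable: bool,
                  vendor: str, product: str, revision: str) -> bytes:
    """Construct a minimal 36-byte INQUIRY response (test data, constructed)."""
    buf = bytearray(36)
    buf[0] = peripheral_type & 0x1F
    buf[1] = 0x80 if removable else 0x00     # set or clear the RMB
    buf[2] = 0x04                             # claimed SPC version (arbitrary here)
    buf[3] = 0x02                             # response data format
    buf[4] = 31                               # additional length after byte 4
    buf[8:16] = vendor.ljust(8)[:8].encode("ascii")
    buf[16:32] = product.ljust(16)[:16].encode("ascii")
    buf[32:36] = revision.ljust(4)[:4].encode("ascii")
    return bytes(buf)


# Constructed sample devices: a typical USB stick, an internal fixed disk,
# a CD-ROM drive, and a USB stick whose firmware clears the RMB (the one
# case in which the quoted rule would let a "stick" Autorun).
SAMPLES = {
    "usb_stick": build_inquiry(0x00, True, "EXAMPLE", "USB FLASH", "1.00"),
    "fixed_disk": build_inquiry(0x00, False, "EXAMPLE", "SATA DISK", "2.00"),
    "cdrom": build_inquiry(0x05, True, "EXAMPLE", "DVD-ROM", "3.00"),
    "fixed_flag_stick": build_inquiry(0x00, False, "EXAMPLE", "USB FLASH", "1.01"),
}


def classify_samples() -> dict:
    """Return, per sample, whether the RMB is set and whether Autorun applies."""
    result = {}
    for name, raw in SAMPLES.items():
        info = parse_inquiry(raw)
        result[name] = (info.removable, autorun_applies(info))
    return result


if __name__ == "__main__":
    for name, (rmb, autorun) in classify_samples().items():
        info = parse_inquiry(SAMPLES[name])
        kind = PERIPHERAL_DEVICE_TYPES.get(info.peripheral_type, "other")
        print(f"{name:18} {info.vendor:8} {info.product:16} type={kind:36} "
              f"RMB={int(rmb)} autorun={autorun}")
```

The fourth sample shows the only path the quoted text leaves open: a device that reports itself as a non-removable disk despite being plugged in over USB. That is why a defender's check of Autorun exposure should look at the RMB a device actually reports rather than at its physical form factor.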